Okay, so I have been given this amazing opportunity to redesign our college network using VLANs. I have a design in mind and would just like some pointers and input. First let me give you some background.

We have 3 campuses, each with their own domain controller (AD, DHCP, DNS), and they are connected via wireless links. I am starting the process with one of the smaller campuses. This campus has about 200 computers, about 20 switches and another 15 printers. We have 5 classrooms, each with a printer, a lecturer computer and 30 - 36 student computers. And the one server.

The VLAN design that I first thought about was using the range 10.0.0.0 across all 3 campuses. My thought behind it was as follows, and then to divide that into /24 VLANs inside the campus as follows:

10.1.1.0 /24 Vlan 1 (Switches)

10.1.2.0 /24 Vlan 2 (Servers)

10.1.3.0 /24 Vlan 3 (Printers)

10.1.4.0 /24 Vlan 4 (Staff)

10.1.5.0 /24 Vlan 5 (Students)

My thought behind it was so that I can look at an IP address and be able to identify exactly whether it is in the right place. 10.1.3.45 would identify campus 1 (10.1.x.x) and VLAN 3 (10.x.3.x).

After some thought I decided to change it up a little bit and divide the printers into the staff and student VLANs, so that in case a network link is down staff and students will still be able to print, admin staff would also still be able to print, and if 30 students need to print the print job does not need to travel the whole network just to print in the same location as that PC. So this is my final thought on what my VLANs should be:

1) Don't stack your subnets unless you will NEVER, EVER have more than 253 hosts on it in the next 10 years. If you (today) have less than 253 hosts and don't expect them to grow much in the next 5 years then leave at least 3 class C subnets between each base IP address. (i.e. 10.1.4.0/24, 10.1.8.0/24, 10.1.12.0/24) This way you can expand beyond 253 hosts by just changing your subnet mask from /24 to /23 or /22. You can increase your range from 253 hosts to 2046 by just changing the mask.

2) VLANs are for security (switch enforced isolation) not performance. Ensure you are using them for the intended purpose. But considering where they will be used I think you are in line with the intended purpose.
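As an added worked example (not code from the thread or from any of its posters), the check below takes a set of /24 VLAN subnets and reports which of them could be widened to /23 or /22 purely by changing the mask, that is, without the widened network swallowing a neighbour. The two plans are constructed from the addresses discussed in this thread; the host counts are computed from the mask.

```python
"""Added example, not part of the thread: check whether each /24 in a VLAN
plan can later be widened to a shorter mask without colliding with a
neighbouring VLAN's subnet. Both plans are constructed from addresses
mentioned in the discussion."""
from __future__ import annotations

from ipaddress import IPv4Network, ip_network


def widened(net: IPv4Network, new_prefix: int) -> IPv4Network:
    """The network the hosts of `net` land in after the mask is shortened.
    This is the aligned supernet, so 10.1.5.0/24 widened to /22 becomes
    10.1.4.0/22, not 10.1.5.0/22."""
    return net.supernet(new_prefix=new_prefix)


def usable_hosts(net: IPv4Network) -> int:
    """Usable host addresses (network and broadcast addresses excluded)."""
    return net.num_addresses - 2


def expandable(plan: dict[str, IPv4Network], new_prefix: int) -> dict[str, bool]:
    """For every VLAN in `plan`, True if widening it to `new_prefix` would
    not overlap any other VLAN's current subnet (no renumbering needed)."""
    verdict = {}
    for name, net in plan.items():
        grown = widened(net, new_prefix)
        others = (n for other, n in plan.items() if other != name)
        verdict[name] = not any(grown.overlaps(n) for n in others)
    return verdict


# Constructed plan 1: the first draft in the thread, /24s stacked back to back.
STACKED = {
    "switches": ip_network("10.1.1.0/24"),
    "servers": ip_network("10.1.2.0/24"),
    "printers": ip_network("10.1.3.0/24"),
    "staff": ip_network("10.1.4.0/24"),
    "students": ip_network("10.1.5.0/24"),
}

# Constructed plan 2: bases three /24s apart, as the reply above suggests.
SPACED = {
    "staff": ip_network("10.1.4.0/24"),
    "students": ip_network("10.1.8.0/24"),
    "servers": ip_network("10.1.12.0/24"),
}

if __name__ == "__main__":
    for label, plan in (("stacked", STACKED), ("spaced", SPACED)):
        for prefix in (23, 22):
            print(f"{label} -> /{prefix}:", expandable(plan, prefix))
    print("usable hosts in /24, /23, /22:",
          [usable_hosts(widened(SPACED["staff"], p)) for p in (24, 23, 22)])
```

Run as a script it shows that in the stacked plan only the lowest /24 could grow to a /23, and none could grow to a /22, while every subnet in the spaced plan can go straight to /22. The subnets also have to sit on the boundary of the size they might grow to, which is exactly what the 4/8/12 spacing gives you; widened() shows the real range a mask change produces.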

Jared Busch, yeah, /24 is big enough for the students on this network. I was thinking for the future, if we get more computer labs, I will be able to add another VLAN for students, e.g. 10.1.5.0 /24 Vlan 5, but I see what George1421 is saying. I was told though to not use more than 512 hosts per network as it can cause broadcast storms if you go higher than that. I'll tweak the VLANs a bit with the VLAN stacking in mind.

I was told though to not use more than 512 hosts per network as it can cause broadcast storms if you go higher than that.

You will be OK for up to 2048 hosts per subnet using TCP/IP. For broadcast-based networks (NetBEUI, DECnet, IPX/SPX) you should keep the max around or less than 512. Again, you are leaving room for future growth. Changing your subnet mask is a job; renumbering a subnet to expand it is a BIG PITA job, and not something I would like to do more than once in my life.

I like what everyone has to say. I would avoid VLAN 1 for the network equipment because this is the default VLAN tag for switches. Some smart computer student would accidentally be right on your network management VLAN with little effort.

2) VLANs are for security (switch enforced isolation) not performance. Ensure you are using them for the intended purpose. But considering where they will be used I think you are in line with the intended purpose.

Not necessarily. Using VLANs to segment traffic (VoIP in particular but IP Video too) makes QOS tagging a MUCH more straightforward proposition. Especially when you combine it with structured cabling where ports have defined roles. In my case I'm using both physical switch and VLAN segmentation to improve availability and performance.

If the switches support it I would also not stack my VLAN numbers either. I use the 10-20-30-40 etc model. The big boys count in 100s so they can not only segment traffic types but customers from each other.

I don't mean to be petty, but while VLANs are useful for security, it isn't their only benefit. They can improve performance by isolating chatty clients to a small group of ports or switches. They save ports and cabling for backbones, and they have a whole host of uses if you add a WLAN.

2) VLANs are for security (switch enforced isolation) not performance. Ensure you are using them for the intended purpose. But considering where they will be used I think you are in line with the intended purpose.

Hey, it's great my comment is sparking discussion.

If you are isolating chatty clients into smaller groups for performance reasons, this will not really help. Consider this: VLANs on the same switch (and up-link ports for that matter) all compete for the same switching fabric bandwidth. There is only one switching fabric so all vlans share the same bandwidth. Think about it, if you have an up-link vlan trunk port with one vlan with very chatty clients and one vlan using a timing critical protocol. Those chatty clients could potentially impact the timing critical protocol even though they are in their own vlan, because they are crossing the same wire and consume the same bandwidth.

I have to concede that if QoS is setup on a per vlan basis, these vlans will get first chance at the transmit queue, but they all traverse the same path.

However, isolating on VLANs will prevent clients with worms and other issues from causing ARP requests to flood the entire network. It's always good practice to separate groups into VLANs for the purposes of security, to prevent broadcast storms, ease of troubleshooting and just general organization.

Think about why you want to split staff, general PCs and printers. If you will not be implementing security between them, don't.

VLANs are Virtual LANs, just a way of splitting LAN segments logically instead of physically. So the 2 key uses are to split segments/broadcast domains and to enable security at a subnet level on the same physical hardware.

If you need to send all 3 VLANs to a switch then there is no advantage at Layer 2, as you are extending all 3 broadcast domains to that point.

How does printing work? Is it via print servers? If so, then have the print servers in a central server VLAN but leave PCs and printers in the same user device VLANs.

I would then split the user VLANs by physical location, so don't have the same VLAN over all 20 switches; split them into some grouping that follows the physical connectivity.

2) VLANs are for security (switch enforced isolation) not performance. Ensure you are using them for the intended purpose. But considering where they will be used I think you are in line with the intended purpose.


True, but remember not all traffic is created equal. Some traffic is more sensitive to latency and packet loss than others. Things like VoIP streaming (as opposed to SIP which does another job) and RTSP and SCADA over IP tend to be less tolerant of packet loss and high latency. Within a single local LAN this isn't that big a deal. Get a switch capable of handling the job. When you have more than one site and must pass traffic, however, things become more interesting. Now you have multiple "classes" of traffic trying to go over a WAN connection.

That's where using VLANs and QOS tagging is your best friend. Sure you can TRY to use QOS tagging at the TCP/UDP port level. You end up with an enormous QOS table in your router that becomes a processing resource hog in its own right. Or, you put each of those services on its own VLAN and tag the VLANs at the switch. You connect a trunk to the router and let your switch decide what packets get priority.


I agree with George1421. Don't stack your subnets; as I have learned the hard way, we have had to increase our wireless subnet 3 times in the last three years. More and more mobile devices are showing up. Do not put your switch management in VLAN 1; again, a lesson learned.

Okay, so all of you guys had very good points, so I sat back and redid everything with your comments and recommendations in mind. So here it is.

VLAN 20 - Network VLAN 10.1.20.0 /24

VLAN 40 - Server VLAN 10.1.40.0 /24

VLAN 60 - Staff VLAN 10.1.60.0 /24

These VLANs can be increased to /23 and /22 (enough for 2000 users; I think that will be 1000% growth for staff, haha). Also, this change in subnet will still have the easy VLAN identifier in the IP address, e.g. 10.1.20.0 /22 will be from 10.1.20.0 - 10.1.24.254, so you will have the 2 from the 20 to identify VLAN 20. I just want it to be easy to look at so you know if it's the right or wrong VLAN. The staff VLAN includes printers in the admin offices.

Okay, next we have the student classroom VLANs.

VLAN 80 - Student LABS bits and pieces 10.1.80.0 /26

- Default Gateway 10.1.80.62 /26

- We have some student labs with 6 computers that are purely used to connect to some communication device using a COM port and are only on the network for updates. We have 3 or 4 of these classrooms and they will all fall under 1 VLAN.

VLAN 81 - Student LAB 1 10.1.81.0 /26

- Student LAB 1 Printer will be 10.1.81.1 /26

- Student LAB Default Gateway 10.1.81.62 /26

This will repeat for each lab that we have. (6 labs in total)

VLAN 100 - Wireless VLAN 10.1.100.0 /26

Hope all of it makes sense. I appreciate the help and knowledgeable tips :)

Being a student of VLANs at this time, I have a question on the security of using 10.1.x.x for all of the VLANs. Wouldn't a mask of 255.255.0.0 make all of the VLANs visible? Wouldn't it be better to use 10.1.x.x for the student areas and 192.168.x.x for staff VLANs?

I fear you may be getting into micromanaging too much. A building containing 200-250 hosts will function fine without a VLAN for general day-to-day stuff at 100mb.

If any of the rooms are CAD/graphic/movie design and are throwing some big files around they would benefit from a separate subnet, but as you have 20 switches I'm going to guess that's one per room? Meaning file transfers around that room are already isolated from the rest of the network via the switch. As per George1421's post about uplinks, unless these files are using the uplink bandwidth they are of little concern.

Set a /22 subnet for the building and you have 1000 usable addresses, no point skimping as the size of the pool doesn't matter. 512 is certainly not a hard limit for number of hosts in a subnet either, if they're only opening a few word/excel docs every day you can go much higher.

@Thomas the network will use the mask 255.255.255.0 so the networks will be 10.1.0.x, 10.1.1.x, 10.1.2.x etc.

We have about 300 devices on this network, then another campus of 300 and one of 1000+

Um, I'm using a 3Com 5500G EI multilayer switch. The reason why I want to use VLANs is for security, to keep student and admin staff separate. Also, we used to have two entirely separate networks for student and staff and that is a pain, as the staff cannot access some features as they are on the student network. Having VLANs you get the best of both. Also I'm trying to implement VLANs across the whole network as I am planning on implementing VoIP somewhere along the line and it would be easier to just add a new VLAN. For me VLANs also just seem neater.

I don't think it's overkill or micromanaging. I just want to have more control of my network.

I was in agreement with you until you started carving up the class C subnets. With the 10.x.x.x space, do the sub-class-C ranges complicate things over a straight /24 mask? My concern is you adding more management overhead by carving this up into smaller ranges. Will it work? Yes.

I liked how you started using the 3rd octet in the IP address as the VLAN ID. This makes it easier to manage: if you see 10.20.81.x you know that IP address should be on VLAN 81.

One last comment is with the router IP address. When we set up a new network we always make the .1 address the router. Then this is consistent without regard to the size of the subnet mask. The router will always be the subnet base address + 1. I know there is another standard as the last IP address of a subnet. But if you start messing with the subnet mask this address will shift around. Just be careful you don't box yourself into a corner with your standards.
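As an added example (not the original poster's or any replier's own code), the script below checks the revised plan posted earlier in the thread, where the VLAN id is carried in the third octet and the labs are /26s with the gateway on the last usable address, and then compares the two router address conventions from the reply above to show which one survives a mask change. The subnets are constructed from the plan as posted; the six lab VLANs being numbered 81 to 86 and the campus sitting in 10.1.x.x are assumptions taken from the posts.

```python
"""Added example, not from the thread: sanity checks for the revised VLAN
plan (third octet == VLAN id, /26 labs, gateway on the last usable address)
and a comparison of the two gateway conventions from the reply above."""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed from the posted plan; labs 81..86 and the 10.1.x.x campus
# octet are assumptions based on "6 labs in total".
PLAN: dict[int, IPv4Network] = {
    20: ip_network("10.1.20.0/24"),    # network devices
    40: ip_network("10.1.40.0/24"),    # servers
    60: ip_network("10.1.60.0/24"),    # staff, including admin printers
    80: ip_network("10.1.80.0/26"),    # lab "bits and pieces"
    100: ip_network("10.1.100.0/26"),  # wireless
}
for lab in range(1, 7):                # student labs 1..6 -> VLAN 81..86
    PLAN[80 + lab] = ip_network(f"10.1.{80 + lab}.0/26")


def vlan_from_address(addr: str) -> int:
    """VLAN id implied by the addressing scheme: the third octet."""
    return ip_address(addr).packed[2]


def plan_is_consistent(plan: dict[int, IPv4Network] = PLAN) -> bool:
    """Every subnet's third octet must equal its VLAN id, otherwise the
    'look at the address and know the VLAN' rule breaks."""
    return all(vlan_from_address(str(net.network_address)) == vid
               for vid, net in plan.items())


def in_right_place(addr: str, seen_on_vlan: int, plan=PLAN) -> bool:
    """True if an address observed on `seen_on_vlan` (e.g. in the switch's
    ARP or MAC table) belongs to that VLAN's subnet. Membership is tested
    against the full prefix, not only the third octet, because a /26 covers
    just .0-.63 of its octet."""
    net = plan.get(seen_on_vlan)
    return net is not None and ip_address(addr) in net


def gateway_base_plus_one(net: IPv4Network) -> IPv4Address:
    """Convention 1 (the reply above): router is the subnet base + 1."""
    return net.network_address + 1


def gateway_last_usable(net: IPv4Network) -> IPv4Address:
    """Convention 2 (the posted plan): router is the last usable address,
    e.g. 10.1.81.62 for a /26."""
    return net.broadcast_address - 1


def lab_addresses(vlan: int, plan=PLAN) -> dict[str, IPv4Address]:
    """Printer on .1 and gateway on the last usable address, as posted."""
    net = plan[vlan]
    return {"printer": net.network_address + 1,
            "gateway": gateway_last_usable(net)}


def gateway_after_widening(net: IPv4Network, new_prefix: int, convention):
    """Gateway before and after the mask is shortened to `new_prefix`, and
    whether it stayed put. If it moved, every host still configured with the
    old gateway points at an ordinary address inside the new subnet."""
    grown = net.supernet(new_prefix=new_prefix)
    before, after = convention(net), convention(grown)
    return before, after, before == after


if __name__ == "__main__":
    print("plan consistent:", plan_is_consistent())
    print("lab 1:", lab_addresses(81))
    print("10.1.81.200 seen on VLAN 81 in the right place?",
          in_right_place("10.1.81.200", 81))
    for conv in (gateway_base_plus_one, gateway_last_usable):
        print(conv.__name__, gateway_after_widening(PLAN[81], 25, conv))
```

Widening lab 1 from /26 to /25 leaves a .1 gateway untouched but moves a last-usable gateway from 10.1.81.62 to 10.1.81.126, which is the corner the reply warns about. The in_right_place() check also shows that with /26 labs the third octet alone is not enough to say an address is where it should be.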